A method of protecting data items in an organizational computer network, including, defining multiple information profiles for classifying the data item, defining rules for protecting the data item belonging to a specific information profile, classifying the data item according to the defined information profiles, applying a protection method to the data item responsive to the classification and the defined rules, automatically updating the classification of the data item responsive to a change in the content or location of the data item; and automatically transforming the applied protection method, throughout the lifecycle of the data item, responsive to a change in classification or location of the data item, according to the defined rules.
|
1. A method for operating an architecture that controls access to confidential data by executing one or more data management policies when an attempt to transform the confidential data is detected, the method being performed by a computer system that operates with the architecture, the method comprising:
the computer system assigning one or more information profiles to a data item, wherein the one or more information profiles indicate a sensitivity level for the data item;
the computer system associating a defined set of one or more policies with the data item, wherein the defined set of one or more policies, when executed for the data item by the computer system, control how the data item is accessed, the control being based at least partially on the data item's indicated sensitivity level;
the computer system storing a hash value for the data item, the hash value being usable to identify the data item within the computer system in connection with one or more subsequent access events for that data item;
the computer system identifying an access event for the data item,
the computer system identifying the defined set of one or more policies that apply to the data item corresponding to the access event, based at least in part on the data item's hash value;
in response to identifying the defined set of one or more policies that apply to the data item corresponding to the access event, the computer system executing the defined set of policies for the data item to control or limit access to the data item in response to the identified access event; and
the computer system tracking execution of the defined set of policies for the data item by logging protection implementation information to a system log, wherein tracking the execution in the system log includes logging how protections were actually implemented on the data item during the execution of the defined set of policies for the data item.
19. One or more hardware storage devices having stored thereon computer-executable instructions that are executable by one or more processors of a computer system to cause the computer system to operate with an architecture that controls access to confidential data by executing one or more data management policies when an attempt to transform the confidential data is detected, execution of the computer-executable instructions causing the computer system to:
assign, by the computer system, one or more information profiles to a data item, wherein the one or more information profiles indicate a sensitivity level for the data item;
associate, by the computer system, a defined set of one or more policies with the data item, wherein the defined set of one or more policies, when executed for the data item by the computer system, control how the data item is accessed, the control being based at least partially on the data item's indicated sensitivity level;
store, by the computer system, a hash value for the data item, the hash value being usable to identify the data item within the computer system in connection with one or more subsequent access events for that data item;
identify, by the computer system, an access event for the data item,
identify, by the computer system, the defined set of one or more policies that apply to the data item corresponding to the access event, based at least in part on the data item's hash value;
in response to identifying the defined set of one or more policies that apply to the data item corresponding to the access event, execute, by the computer system, the defined set of policies for the data item to control or limit access to the data item in response to the identified access event; and
track, by the computer system, execution of the defined set of policies for the data item by logging protection implementation information to a system log, wherein tracking the execution in the system log includes logging how protections were actually implemented on the data item during the execution of the defined set of policies for the data item.
10. A computer system comprising:
one or more processors; and
one or more computer-readable hardware storage devices having stored thereon computer-executable instructions that are executable by the one or more processors to cause the computer system to operate with an architecture that controls access to confidential data by executing one or more data management policies when an attempt to transform the confidential data is detected, execution of the computer-executable instructions causing the computer system to:
assign, by the computer system, one or more information profiles to a data item, wherein the one or more information profiles indicate a sensitivity level for the data item;
associate, by the computer system, a defined set of one or more policies with the data item, wherein the defined set of one or more policies, when executed for the data item by the computer system, control how the data item is accessed, the control being based at least partially on the data item's indicated sensitivity level;
store, by the computer system, a hash value for the data item, the hash value being usable to identify the data item within the computer system in connection with one or more subsequent access events for that data item;
identify, by the computer system, an access event for the data item,
identify, by the computer system, the defined set of one or more policies that apply to the data item corresponding to the access event, based at least in part on the data item's hash value;
in response to identifying the defined set of one or more policies that apply to the data item corresponding to the access event, execute, by the computer system, the defined set of policies for the data item to control or limit access to the data item in response to the identified access event; and
track, by the computer system, execution of the defined set of policies for the data item by logging protection implementation information to a system log, wherein tracking the execution in the system log includes logging how protections were actually implemented on the data item during the execution of the defined set of policies for the data item.
2. The method of
3. The method of
4. The method of
5. The method of
6. The method of
7. The method of
8. The method of
9. The method of
11. The computer system of
12. The computer system of
13. The computer system of
14. The computer system of
15. The computer system of
16. The computer system of
17. The computer system of
18. The computer system of
20. The one or more hardware storage devices of
21. The computer system of
in addition to logging the protection implementation information to the system log, tracking the execution of the defined set of policies for the data item additionally includes providing a notification regarding the tracking.
|
This application is a continuation of U.S. patent application Ser. No. 14/872,585 filed on Oct. 1, 2015, entitled “System and Method for Automatic Data Protection in a Computer Network,” which issued as U.S. Pat. No. 9,838,432 on Dec. 5, 2017, which is a continuation of U.S. patent application Ser. No. 12/527,427 filed on Nov. 4, 2009, entitled “SYSTEM AND METHOD FOR AUTOMATIC DATA PROTECTION IN A COMPUTER NETWORK,” which issued as U.S. Pat. No. 9,218,500 on Dec. 22, 2015, which is a U.S. National Stage of International Application No. PCT/IL07/01079 filed on Sep. 2, 2007, entitled “A SYSTEM AND METHOD FOR AUTOMATIC DATA PROTECTION IN A COMPUTER NETWORK,” which claims the benefit of and priority to U.S. Provisional Patent Application Ser. No. 60/903,304 filed on Feb. 26, 2007, and entitled “System and method of automatic, adaptive and transformative of protection methods on data items.” This application expressly incorporates herein the entirety of the foregoing applications.
The present invention relates generally to a system and method for automatically protecting data in a computer network and specifically in a corporate environment.
The personal computer revolution has introduced a big challenge in protecting data in the corporate environment. In the past corporations were computerized by central mainframe computers or by mini computers. These systems had complete control of access to the data within them. Any attempt to access data was verified by the central computer and the central computer could prevent transfer of data to non-desired places. In contrast nowadays corporate data is generally accessed by personal computer networks, which are connected in many cases to external networks, for example the Internet. Each station generally stores data locally in various forms, for example as word processing files, spreadsheet files, emails and other forms. The end stations typically comprise less secure devices than the terminals that served the central computers, for example a desktop computer, a laptop computer or an external email account at an email provider. Data can easily be transferred out of the system with or without leaving information regarding the identity of the person that took the data, for example a person may copy the data to various types of removable media (e.g. a writeable CD, a writeable DVD, a floppy disk, or a disk-on-key). A person can also email data to an external email account and then access the data remotely.
The above described situation leaves the corporate data in a less secure state than in the past. Many scenarios can lead to information leakage either deliberately or accidentally, for example theft of a desktop computer, theft or loss of laptop computers, loss of a disk-on-key or other removable media. Additionally, an employee can easily send information to an external email provider and retrieve it using an external computer without any corporate limitations.
Various solutions have been suggested to tackle different aspects of protecting corporate information:
One method to tackle the problem is by installing network sniffers at strategic positions, for example next to a network firewall, to monitor content that leaves the corporate network. Typically a sniffer may reassemble TCP sessions and analyze the content to detect sensitive information leakage and trace it back to the sender. A few problems with this solution is that it is limited to information transmitted over the network and does not deal with other forms of information leaks such as copying information to a USB device. Additionally, the monitoring by the sniffer can easily be overcome by manipulating the data, for example by using encryption so that the sniffer cannot determine the content. Further additionally, since the method only detects data, which is detected by the algorithms implemented by the sniffer it does not detect all information leaks and is thus limited in its ability to enforce a policy.
A second method of tackling the problem is by installing an agent program on the computers of the corporate employees. The agent can monitor and control use of data, for example the copy and transmission of files from the computer, printing out content of a file, burning CDs and other actions. One drawback with this solution is that the agent may be circumvented by booting from a different operating system to gain control of the data on the disk without being limited by the agent program. Also once information leaves the employees station it is not protected.
A third method to tackle the problem is by implementing an enterprise digital rights management (E-DRM) system to provide persistent encryption to the corporate data. Typically all controlled data files are encrypted and they can only be accessed through the use of an application which runs in the background and enforces an access policy, for example requiring an access key or preventing a user from copying the data. The advantage of E-DRM over the use of an agent is that access policies can be enforced even after delivering the content to a recipient and stolen files cannot be accessed. However there are a few problems in implementing E-DRM in the real world:
1. Many systems need the information in its unencrypted form to function properly, for example relational data bases, tape backups, search engines, and applications which manipulate the data. Thus all these systems must incorporate the E-DRM application to function with the data. This puts a severe limitation on the hardware and software, which can be used and generally would increase their cost.
2. When dealing with external partners that need to access the information, for example an external corporate accountant or attorney or an outsourcing company, they too would need to implement the encryption system to access the data. However, it can be quite complicated to implement a key management system, which provides keys across multiple enterprises/bodies. Additionally, working with E-DRM puts a burden on the external entities. They may not be interested in installing specific software and/or implementing more complex procedures to deal with the data of the specific client.
3. In E-DRM and other persistent encryption mechanisms the author of a file is generally provided with the option to define, which policies to enforce on the file, for example to prevent printing or prevent copying excerpts (e.g. by cut and paste) from the file. Each author can implement different policies, which will cause confusion for the users of data in the corporation since they will not know ahead of time what actions can be applied to a specific data file.
Generally, systems for protecting data, protect data at a specific position in the network (e.g. preventing access to the content of a server by unauthorized users) or by applying protection when performing a specific action with the data (e.g. creating the data item and applying an encryption or transferring the data out of the network and applying an encryption).
An aspect of an embodiment of the invention, relates to a system and method for protecting data in a corporate network throughout the life cycle of the data. In an exemplary embodiment of the invention, when a data item is created or changed in the system, it is automatically classified to define an information profile according to which it will be treated. Some examples of data items are files, mail messages, web pages and buffers that hold content such as for implementing “cut and paste” and “drag and drop” operations.
In an exemplary embodiment of the invention, the information profile associated with the data item defines a protection method, which includes sets of rules that will be applied to the data item dynamically. Optionally, the protection method is affected by a few basic characteristics, namely: the nature of the data item defined by the information profile (e.g. confidential data, trade secret data, and public knowledge data), the location of the data item in the system (e.g. on a server database, on an endpoint nonvolatile medium such as a workstation disk, or on a removable media), the user accessing the data item (e.g. corporate manager, employee, visitor) and the location to which the data item is transferred.
In an exemplary embodiment of the invention, once an information profile is defined for the data item a protection method can be applied to the data item based on the rules governing the protection method associated with the information profile. Optionally, if any of the characteristics related to the data item are changed the protection method is changed correspondingly, for example if the data item is copied from the disk of an endpoint to a disk-on-key the protection method may be changed for example from an E-DRM protection form to a password protected encrypted form.
In an exemplary embodiment of the invention, when a data item is altered or edited the information profile associated with it may be updated and its protection method may be altered accordingly.
In an exemplary embodiment of the invention, the system includes a protection management server to aid in the implementation of the data protection method. Optionally, application of a protection method to an item may be performed at the endpoint (e.g. at a workstation, laptop, PDA, Blackberry, smart phone, etc.), at the host, or at the terminal server hosting the data item. Alternatively, application of the protection method may be performed on a server/appliance which intercepts data items between sources to a target location. Alternatively or additionally, both alternatives can coexist in the same environment.
There is thus provided according to an exemplary embodiment of the invention, a method of protecting data items in an organizational computer network, including: defining multiple information profiles for classifying the data item; defining rules for protecting the data item belonging to a specific information profile; classifying the data item according to the defined information profiles; applying a protection method to the data item responsive to the classification and the defined rules; automatically updating the classification of the data item responsive to a change in the content or location of the data item; and automatically transforming the applied protection method, throughout the lifecycle of the data item, responsive to a change in classification or location of the data item, according to the defined rules. Optionally, the protection method takes into account the location of the data item. In an exemplary embodiment of the invention, the protection method takes into account the user accessing the data item. Optionally, the data item is classified based on analysis of the content of the data item. In an exemplary embodiment of the invention, the data item is classified based on analysis of metadata associated with the data item. Optionally, the data item is classified based on analysis of the events, which led to the creation of the data item.
In an exemplary embodiment of the invention, the rules define a protection method transformation responsive to the source and destination of the data item. Optionally, the rules define a protection method transformation responsive to the current protection method applied to the data item. In an exemplary embodiment of the invention, the rules define a protection method transformation responsive to the identity of the transmitter and the receiver of the data item. Optionally, the rules define a protection method transformation responsive to the identity of the transmitter and the location of the receiver of the data item. In an exemplary embodiment of the invention, the rules define a protection method transformation responsive to the identity of the transmitter and the application receiving the data item. Optionally, the rules define a protection method transformation responsive to the identity of the transmitter and the media of the location receiving the data item.
In an exemplary embodiment of the invention, the rules define a protection method transformation responsive to the identity of the transmitter and the peripheral device receiving the data item. Optionally, the transformation of the protection method of the data item is logged to a log file. In an exemplary embodiment of the invention, the transformation of the protection method of the data item generates a notification to a user describing the method of accessing the data item with the new protection method. Optionally, the protection method prevents unauthorized access to the content of the data item. In an exemplary embodiment of the invention, the protection method verifies the integrity of the data item. Optionally, the protection method prevents unauthorized duplication of the content of the data item. In an exemplary embodiment of the invention, the protection method requires a password to access the data item.
In an exemplary embodiment of the invention, the protection method comprises encryption of the data item. Optionally, the protection method comprises manipulation of the data. In an exemplary embodiment of the invention, the protection method prevents the transmission of the data. Optionally, the transformation is performed by an agent application that is installed on a local endpoint of the computer network. In an exemplary embodiment of the invention, the transformation is performed by transmitting the data item to a server of the computer network. Optionally, the data item cannot be accessed until the applied protection is performed responsive to a matching of one of the defined rules.
There is additionally provided according to an exemplary embodiment of the invention, a system for protecting data items in an organizational computer network, including: a protection management server for recording information profiles; an administration console for defining rules for protecting data items belonging to a specific profile; an agent application for installing on endpoints to enforce data protection; wherein the agent application is adapted to classify the data items to a specific information profile upon their creation or change; wherein the agent is adapted to automatically enforce a protection method on the data item according to the defined rules that apply based on the profile classification that is applied to the data item; and wherein the agent is adapted to update the enforced protection method applied to the data item throughout the lifecycle of the data item responsive to a change in classification or location of the data item, according to the rules.
The present invention will be understood and better appreciated from the following detailed description taken in conjunction with the drawings. Identical structures, elements or parts, which appear in more than one figure, are generally labeled with the same or similar number in all the figures in which they appear, wherein:
In an exemplary embodiment of the invention, system 100 automatically controls protection of every data item 190 used in system 100 from its creation through its alteration until it is destroyed and no longer accessible. Optionally, the protection method applied to protect data items 190 may be altered based on the content of data item 190, the location of data item 190 and the user accessing data item 190.
In an exemplary embodiment of the invention, a protection management server 120 is connected to network 130 to manage data protection in network 130. In some embodiments of the invention, data server 110 may serve as protection management server 120 by installing a software application on data server 110, without adding a dedicated hardware device to serve as the protection management server. In some embodiments of the invention, a dedicated endpoint serves as an administrator console 140 to provide instructions to protection management server 120, thus increasing security by preventing access from any other endpoint. Alternatively, any endpoint 150 may be able to access protection management server 120 and serve as the administrator if the user provides appropriate credentials. Optionally, data items 190 may also be sent to external endpoints 170, which are used by people that are not employees of the organization, and may or may not allow installation of an agent software application on their endpoint to control access to data item 190. Optionally, system 100 handles data item 190 according to instructions from the administrator and may prevent employees from accessing and/or distributing information freely without some method of protection. In an exemplary embodiment of the invention, each data item 190 will be protected by a protection method according to the sensitivity of the information (i.e. based on the information profile), so that it will remain protected against intentional and unintentional attempts to be transferred or exposed to an unauthorized receiver. Optionally, one protection method is employed when an employee accesses data item 190 and a different protection method is employed if the employee emails data item 190 to a user in a different organization. Additionally, one protection method can be employed when the user accesses data item 190 on data server 110 and a different protection method can be employed if data item 190 is copied to the employees endpoint 150 or is copied to various types of removable media 160, for example a disk-on-key, a CDR, a writable DVD, a paper printout and other forms.
Optionally, in special cases the administrator can release a data item 190, for example by making a special rule for the information profile that the data item belongs to.
1. Credit Cards—a data item 190 that contain credit card numbers. This information is optionally identified based on content analysis of data item 190 or using a regular expression with a credit card pattern. Optionally, a data item in which this information appears multiple times, for example more than ten times, would be flagged as a credit card data item.
2. Finance data—a data item 190 that includes confidential information which is of economic importance regarding the organization, and should be available only to authorized employees. Optionally, finance data includes data that arrives from an accounting or auditor associate, for example via email. Additionally, finance data may include data that is derived from the accounting system of the organization. The accounting system may be a web based application or a client based application or files that are retrieved from a specific directory, for example from a directory named //finance/finance reports.
3. Human resource (HR) data—a human resource data item may include data items 190 disclosing information which is related to personal details of the employees of the company. Optionally, the data may be derived from an HR module of an Enterprise application.
4. Research and development (R&D) data—a data item 190, which is related to the research and development projects of the organization. Optionally, this includes information, which is of importance to the organization and the organization is interested in keeping secret. Some examples of indication that may be used to identify such data are files in MS “vsd” format and files that retrieved from the development file libraries of the organization.
5. Executives Only Data—data items 190, containing information which should only be seen by top ranking personnel that have been authorized to see the information.
6. Partner data—data items 190, containing information—regarding corporate partners or data that is transmitted or received from business partners of the organization.
7. Enterprise Portal Data—Data which is derived from intranet Web sites such as enterprise portals.
8. CRM Data—Customer records that are derived from the Customer Relationship Management system of the organization. Optionally, CRM data contains sensitive information such as names, Social Security Numbers, Addresses, and phone numbers of corporate clients and suppliers.
In an exemplary embodiment of the invention, to determine one or more appropriate information profiles for categorizing data item 190, various methods are employed, for example:
1. Content analysis—analyzing the content of data item 190 for key words, specific phrases, regular expressions, natural language processing or using other known classifier engines that analyze content.
2. Metadata analysis—analyzing metadata regarding data item 190, for example the name of the file, the type of file (e.g. word document, excel document, email message, picture file, movie file).
3. Event analysis—analyzing the event which brought about the existence of data item 190, for example being cut from a different item, where the item was placed (e.g. network location (URL), directory name), where the item was retrieved from or downloaded from, who created the item, which application created the item. As an example the administrator can define that all information from a specific source or created by a specific person or application will belong to a specific information profile.
In an exemplary embodiment of the invention, data item 190 may be assigned multiple information profiles. Alternatively, system 100 may select the most stringent or least stringent profile to represent data item 190, for example if an item belongs to two data profiles: a “finance data—profile” that is defined as secret and an “executives only data—profile” that is defined as “top secret”, system 100 will optionally select the “executives only data—profile” if it is designed to select the most stringent one. Optionally, if the multiple profiles' have the same security level system 100 selects one randomly or selects the first match to the rules of the profiles (e.g. as shown in
In an exemplary embodiment of the invention, once information profiles are defined the administrator needs to define sets of rules (220) which are to be applied to data item 190 based on the information profiles assigned to data item 190, and an action (e.g. an encryption form) that is to be applied to data item 190 defined by the following characteristics:
1. The source location of data item 190.
2. The destination location of data item 190.
In some embodiments of the invention, the location (either for the source or destination) may be a physical location such as a Disk-on-key, a CD drive, a specific library on a hard disk. Optionally, the location may be given by a Uniform Resource Locator (URL), or by other Universal Naming Conventions (UNC). Alternatively the location may be a logical location, for example based on a user identity or the identity of a group of users, for example “Finance Group” is construed to mean any place or data item 190 that is accessible by a finance group member. Another type of location can be an application (or group of applications) from which the data item is extracted or transferred to.
Optionally, more complex rules may take other characteristics into consideration, for example: the user accessing data item 190, the user that is to receive data item 190, and the current protection method applied to data item 190 or the access time. When a rule is said to be matched agent 180 will take action according to the rule.
Following is a list of exemplary action methods, which may be applied by the rule set to achieve the goals described above, according to an exemplary embodiment of the invention:
1. Implementing a protection policy for a data item using third party E-DRM products, for example Microsoft RMS5 EMC Authentica, Oracle Stellent/SealedMedia, Adobe Livecycle Rights Management and others. These products encrypt data item 190 and allow the definition of a policy, which is enforced on the user of the content, for example the policy may limit the number of uses, limit the identity of the user or limit the number of computers data item 190 can be used on. In some cases the receiver must contact an EDRM management server, or even maintain a live connection with an EDRM management server to receive permission to access data item 190.
2. Implementing proprietary or third party file based persistent encryption. The system can incorporate any persistent encryption mechanism and operate it on controlled data items, for example products like PGP, Voltage, Utimaco or even a proprietary encryption can be supplied with the appropriate application program interfaces (APIs).
3. Manipulation of the data, this includes semantic form conversion, for example conversion of a file from a text file to a PDF file or graphic file so the content cannot easily be edited with a similar application as used to create data item 190.
4. Setting the protection policy in a PDF file to prevent copy or print of the file.
5. Protect the item with a password, so that the user must know the password to gain access to data item 190.
6. Password protected zip archive to condense the size of data item 190 and prevent access without knowledge of the password.
7. Password protected Microsoft Office Document to prevent access without knowledge of the password.
8. PGP encryption and key management solutions to provide a strong encryption to data item 190 and provide a secure key transfer.
9. Apply a digital signature to data item 190 to assure that it was sent by the listed sender.
10. Apply a CRC check to data item 190 to verify that the file has not been altered.
11. Attach a disclaimer or warning to data item 190 to be brought to the attention of the recipient.
12. A mixture of two or more of the above methods, or other methods.
13. Removing any protection.
Optionally, responsive to any action performed on data item 190 by a user of system 100, protection management server 120 will instruct execution of protection method adaptation (230) to the protection method applied to data item 190 as defined by the rule set described above.
Examples of these rules are shown in
In an exemplary embodiment of the invention, actions taken in system 100 may be tracked, for example classifying a data item 190, implementing protection on a data item 190, and/or changing the protection on a data item 190. Optionally, tracking may include logging to agent 180, or sending a message to protection management server 120. If protection management server 120 is not available, messages may be stored at agent 180 to be transferred at a later time. Optionally, at protection management server 120 tracking may include logging (240) the change to a system log. Alternatively or additionally, tracking may include sending an alert to an administrator to take an immediate action or a delayed action. Further alternatively or additionally, tracking may include sending a notification to a specific user or a group of users. In some embodiments of the invention, administration console 140 may allow access to review tracking logs and/or other messages sent by any agent 180. In a first example for Info Stage create/edit, when data items that are categorized to the credit cards information profile are edited or created at a location associated with any domain user, an action of applying MS RMS Protection Policy will take place. This policy is to define a policy template that allows only internal corporate users to review the data item.
In a second example for Info Stage create/edit, when data items that are categorized to the finance data information profile are created at locations associated with users of the finance group (e.g. when the data item is being edited by a member of the finance group), an action of MS RMS Protection Policy will take place. This policy is to define a policy template that only finance users can review the data items.
In a third example for Info Stage create/edit, when data items that are categorized to the human resource (HR) data profile are created at a location associated with any domain user, an action of implementing Oracle Stellent IRM Protection Policy will take place. This policy is to define a policy template that allows only HR users to review the data items.
In a fourth example for Info Stage create/edit, when data items that are categorized to the executives only data profile are created at locations associated with members of the executive group, an action of password protection will be implemented on the data items.
In a fifth example for Info Stage create/edit, when data items that categorized to executives only data profile are created at logical location that are accessible to all users of the domain, an action of MS RMS Protection Policy will be implemented. This policy is to define a policy template that only members of the executive group can review the data items. Optionally, if more than one rule can be applied the first rule in sequence will be applied.
The second exemplary rule for Info Stage—transfer, shows data items that are categorized as belonging to a R&D data profile. The rule provides that such data items when transferred from locations associated with R&D group users to a location associated with a member of the R&D group (e.g. \\RnDRep\ClearCase, which is a shared directory of a repository that holds design documents for members of the R&D group). Optionally, the rule requires that the content will be converted to decrypted form in order to be able to allow control of the versions of the documents. This rule provides that the protection method will be transformed, for example from E-DRM Protection with a Policy:RnDOnly to decrypted form.
The third example for Info Stage—transfer shows a rule that provides that data items that are categorized as CRM data that are transferred from a location associated with an executives group member to a Disk on Key, the protection method is transformed from MS RMS Protection Policy:FinanceOnlyTemplate to Password Protect.
The fourth example for Info Stage—transfer shows a rule that provides that data items that are categorized to any information profile, if they are transferred from an executive group location to an Instant Messaging (IM) application they will be transferred without any protection. Thus, when a user that belongs to the executives group wants to do a copy/paste operation from a protected data items to an IM application, he/she will be able to do so. All other users will be blocked. In an exemplary embodiment of the invention, the goals of the protection method enforced by the rule set may vary, for example:
1. To prevent unauthorized access to the data.
2. To monitor and or record access to the data.
3. To limit access to the data to a specific station/user (i.e. to prevent further distribution) or to limit access to a specific number of times.
4. To allow a user to view the content of data item 190 but not alter data item 190.
5. To prevent the user from making a hard copy of the content of data item 190.
6. To verify that the file content has not been altered.
7. To verify that a specific user sent the data item.
8. To communicate securely with partners and customers.
In an exemplary embodiment of the invention, agent 180 notifies (340) protection management server 120 whenever a transformation is applied to data item 190. Optionally, as explained above the notification may be logged to the protection management server 120. Alternatively, it may cause protection management server 120 to initiate an alert (e.g. by email or by SMS) to an administrator to take actions or protection management server 120 may send notification (e.g. by email or SMS) to various users updating them regarding the transformation, for example sending them a password or description of the method required to access the content of data item 190. In some embodiments of the invention, agent 180 prompts the user for a password or notifies the user upon automatically selecting a password for the user. Optionally, the user may provide agent 180, ahead of time with one or more passwords to be applied in various circumstances, for example a password for all emails sent by the user to people from outside the organization. In an exemplary embodiment of the invention, the user notifies the recipient of the email as to the password that was selected, for example in a different email or by other means such as by telephone, fax or SMS.
In some embodiments of the invention, agent 180 is updated by protection management server 120 whenever there are changes to the rule set for enforcing protection of data items 190. Alternatively, whenever endpoint 150 is booted up or periodically, agent 180 polls protection management server 120 for rule updates. In some embodiments of the invention, when agent 180 is initially installed on an endpoint 150 it scans the entire disk, classifies and defines a protection method for every available item. Alternatively, only items that are accessed after installing agent 180 are checked. In some embodiments of the invention, agent 180 is also installed on data server 110 so that data items 190 on data server 110 will be classified even before being accessed by a user.
1. A capturer 410;
2. A classifier 420;
3. An agent communication manager (ACM) 430; and
4. An enforcer 440.
In an exemplary embodiment of the invention, content capturer 410 is required to take control of all content access on endpoint 150 to enforce the protection policy. In some embodiments of the invention, agent 180 only deals with specific content, for example data files and ignores files that are not of interest to system 100 (e.g. executable files). Optionally, capturer 410 includes various parts as required to handle any method or device by which content can be accessed or can enter and/or exit endpoint 150. A first method, which needs to be controlled is the access of data through the file system of endpoint 150, for example when a file is accessed by a user double clicking on the file, or by copying the file from one location to another. Optionally, capturer 410 implements a file system proxy (FSP) 412 which takes control of the file system interrupts and handles all file access including access to network files.
In an exemplary embodiment of the invention, FSP 412 supports four scenarios when accessing network files:
1. Downloading from a shared folder in the network to endpoint 150.
2. Uploading to a shared folder in the network from endpoint 150.
3. Accessing a file located in the network (e.g. to view or edit its content).
4. Copying a file from one location in the network to a different location in the network.
Optionally, FSP 412 includes a kernel mode file system filter driver and a user mode application. The filter driver intercepts open/create requests and checks if the request is directed to a monitored location. If the location is monitored the filter intercepts I/O operations from the user application. The filter then copies the file to an intermediate location, which may be volatile or nonvolatile, for example on the local disk of the user, and communicates with the user application to provide controlled access to the file.
In an exemplary embodiment of the invention, the user mode application initiates a classification process to determine the appropriate classification for the file. Optionally, protection is applied to the intermediate work file according to the policy rules for the determined classification. The filter then redirects file system calls (e.g. read requests) to the intermediate protected file as if it was located at the network location. Further details regarding the use of an intermediate file are described below. When the program accessing the file finishes, the filter driver closes the original file and closes and deletes the intermediate file.
A similar process is performed when uploading a file to a network location or working with a file directly from the network location.
Optionally, some functions that are described as the user mode implementation can be performed at the kernel mode and vise versa.
In some embodiments of the invention, some of the functions performed by FSP 412 are performed by proxy 125 instead of agent 180.
A second method by which content can be accessed at endpoint 150 is through the HTTP protocol (e.g. via an HTTP web browser). Optionally, agent 180 implements an HTTP proxy 414 to control content that is accessed through HTTP. Optionally, HTTP proxy 414 may be part of the agent application or may be a separate entity in the network (e.g. proxy 125). In a similar manner network protocols other than HTTP may be supported, for example FTP.
Following is an example of the use of HTTP proxy 414:
When accessing a monitored HTTP address, a networking filter component checks its redirection table, for example in MS windows this can be implemented through LSP, TDI, Kernel Sockets, NDIS or other components that can intercept network connections. The filter amends the address to the address of an HTTP proxy (e.g. an Apache Proxy). The proxy gets the request and classifies the content of the web page. The proxy then provides the content in its protected form to the HTTP proxy 414. Optionally, redirection is implemented either by the kernel mode filter or through the user mode process.
A third method by which content can be controlled is through the clipboard, for example when a user cuts or copies content from one place and pastes it in another. Optionally agent 180 implements a clipboard handler 416 by hooking into the clipboard system. An example of this is using a system hook on windows OS and capturing the WM_CHANGECB CHAIN notification. Optionally, agent 180 classifies the data stored by the clipboard and if data is defined to be protected, agent 180 places a redirector object instead in the clipboard. Optionally, when a process requests the data from the clipboard, the request is delegated to agent 180, which decides if to provide the data to the requesting process, according to the rules defined for the classification of the data and the classification of the destination data item into which the data is to be pasted. In some cases the protection scheme applied to the target document is changed with or without giving warning to the user before pasting the data into the target document. Alternatively, agent 180 may block the pasting process altogether. Optionally, the classification of the resulting data item 190 is updated to reflect the results of the pasting process.
A fourth method by which content can be accessed is by using a “drag and drop” operation, for example to move text between documents. Optionally, agent 180 controls “drag and drop” handling by hooking into the “drag and drop” handler of the operating system. In MS windows this may be implemented by placing a hidden window under the cursor, and analyzing the motion of the mouse. Optionally, after determining the details of the “drag and drop” process that is invoked the event can be handled like “cut and paste”.
A fifth method for controlling content access is by providing an application plugin 418 to control content access in various applications, for example MS office, Outlook Express, Internet Explorer or other known applications. Optionally, an application plugin can provide capturer 410 with capabilities specific to the application to ensure that a data item 190 cannot be manipulated other than according to the policy of system 100, for example cannot be printed without authorization. In some embodiments of the invention, capturer 410 may include other parts to control access to content on endpoint 150.
In an exemplary embodiment of the invention, once capturer 410 of agent 180 intercepts a data item 190 it provides the item to classifier 420. Classifier 420 determines a classification for data item 190 as described above. In some embodiments of the invention, classifier 420 first checks to see if data item 190 was previously classified, for example data item 190 that was created by a different user and transmitted to the current user, would optionally already be classified. Optionally, the previous classification is either attached to the data item 190, for example by adding an information profile tag to the file (e.g. embedded in the file data in a hidden form, in a metadata section of the file or in a metadata section of the file system). Alternatively, it can be implemented by a separate database, for example on protection management server 120, by holding a key, which represents a hash of data item 190 or a URI, which identifies data item 190 within system 100.
After determining the classification, agent 180 determines if any rules are applicable to the action being performed by the user, for example if a change in the protection method is required. Optionally, agent 180 uses ACM 430 to communicate with a server communication manager (SCM) on protection management server 120 to retrieve the policy rules that are currently defined. As mentioned above agent 180 may retrieve the rules at various times, for example for every transaction, periodically, or when initially loading agent 180.
Once the classification of data item 190 is determined and policy rules are obtained; agent 180 uses enforcer 440 to enforce the rules of the policy set for data items 190 with the determined classification. Enforcer 440 determines where data item 190 is coming from, where data item 190 is going, which protection method is to be applied and then enforcer 440 enforces the rules of the policy by applying or transforming the protection method for data item 190.
In an exemplary embodiment of the invention, enforcer 440 applies the protection method without intervention of the user. Optionally, enforcer 440 invokes a protection application and obtains certification to be able to remove the protection method from data item 190 and apply a different protection method. In some embodiments of the invention, enforcer 440 provides a master key or generates an application dedicated master key to apply the protection method. Optionally, enforcer 440 stores the key at protection management server 120 so that it may be accessed by other agents 180 if necessary to change the protection applied to data item 190. Optionally, the protection application handles the master key as any other key that is managed, and agent 180 is responsible to apply the key on data item 190.
As an example, RMS protection policy is applied by the use of a special master key that is provided to enforcer 440 by the RMS application. Upon installation agent 180 creates the master key for RMS using the standard RMS software developer kit (SDK). Optionally, the master key is created by the use of a dedicated system domain user. In some embodiments of the invention, the master key is created in a way that binds it to a specific machine as an RMS item that is protected against tampering. This reduces the threat of abusing the master key by taking it and using it on another machine. Optionally, RMS builds a protection policy template, which is a collection of rights defining: which users can view the data item, which users can edit it, print it and so forth. In Oracle IRM the policy template is called a Context. In an exemplary embodiment of the invention, some or all of agents 180 may use the master key to remove and apply protection schemes. Optionally, agent 180 protects the master key so that it cannot be used directly by a user or an application without control by agent 180.
An example of implementation of automatic data protection by agent 180 is to make a copy of a file that is protected by an RMS protection method from data server 110 to removable media 160. Optionally, if the user is authorized (e.g. a manager) enforcer 440 will transform the protection method to a password protected file so that the file can be used outside of network 130, for example as shown by rule 3 of info stage—transfer in
In an exemplary embodiment of the invention, agent 180 serves as a virtual proxy between the source and destination of data item 190. Optionally, one side may access data item 190 in one form and the other side may access data item 190 in another form, for example a file is stored on data server 120 in decrypted form but the policy rules define that the user be provided the file in an RMS encrypted form (e.g. as shown according to rule 4 of Info Stage—Create/Edit and rule 2 of Info Stage—Transfer in
In an exemplary embodiment of the invention, the above method for dealing with data items with different protection methods on each side is applied when copying or moving data item 190 from one location to another and also for accessing a remote data item 190 by an application, for example to edit a word file located on data server 120 using MS Word or to access data from a database located on data server 120 using a financial application.
In some embodiments of the invention, agent 180 verifies its integrity and the integrity of data server 110 and/or protection management server 120 to prevent a user from constructing a fraudulent network to gain access to protected data. In an exemplary case, data item 190 is kept in decrypted form on data server 110 and is provided in encrypted form to endpoint 150. Optionally, the user can borrow endpoint 150 and connect it to a mock data server (e.g. with the same names and addresses as data server 110), then the user can store a copy of data item 190 to the mock data server using agent 180 and retrieve it in decrypted form. Optionally, to prevent this, agent 180 performs a mutual authentication (e.g. using Kerberos or other domain verification methods, which authenticate with protection management server 120) to verify the identity of the servers every time it is turned on, or for every transformation of data to prevent such fraud.
In some embodiments of the invention, agent 180 can function even when not connected to the network once the policy information from protection management server 120 is downloaded. Optionally, agent 180 may prepare a log file to update protection management server 120 when reconnected to the network.
It should be appreciated that the above described methods and apparatus may be varied in many ways, including omitting or adding steps, changing the order of steps and the type of devices used. It should be appreciated that different features may be combined in different ways. In particular, not all the features shown above in a particular embodiment are necessary in every embodiment of the invention. Further combinations of the above features are also considered to be within the scope of some embodiments of the invention.
It will be appreciated by persons skilled in the art that the present invention is not limited to what has been particularly shown and described hereinabove. Rather the scope of the present invention is defined only by the claims, which follow.
Patent | Priority | Assignee | Title |
Patent | Priority | Assignee | Title |
6202091, | Dec 08 1997 | RPX CLEARINGHOUSE LLC | Process and apparatus for initializing a computer from power up |
6317838, | Apr 29 1998 | EVIDAN | Method and architecture to provide a secured remote access to private resources |
6530024, | Nov 20 1998 | CHECK POINT SOFTWARE TECHNOLOGIES, INC | Adaptive feedback security system and method |
7444506, | Dec 28 2001 | FATPIPE NETWORKS PRIVATE LIMITED | Selective encryption with parallel networks |
7716716, | Jun 24 2004 | T-MOBILE INNOVATIONS LLC | Method and system for architecting enterprise data security |
7734600, | Feb 05 2003 | Time Warner, Inc | Apparatus, method and system to implement an integrated data security layer |
7827294, | May 06 2004 | Liberty Peak Ventures, LLC | System and method for dynamic security provisioning of computing resources |
7840992, | Sep 28 2006 | EMC IP HOLDING COMPANY LLC | System and method for environmentally aware data protection |
7891001, | Aug 26 2005 | BAE SYSTEMS APPLIED INTELLIGENCE US CORP | Methods and apparatus providing security within a network |
7958147, | Sep 13 2005 | Method for providing customized and automated security assistance, a document marking regime, and central tracking and control for sensitive or classified documents in electronic format | |
8037290, | Jul 01 2005 | GEN DIGITAL INC | Preboot security data update |
8127366, | Sep 30 2003 | Intellectual Ventures I LLC | Method and apparatus for transitioning between states of security policies used to secure electronic documents |
8381297, | Dec 13 2005 | CUPP Computing AS | System and method for providing network security to mobile devices |
8590002, | Nov 29 2006 | JPMORGAN CHASE BANK, N A , AS ADMINISTRATIVE AGENT | System, method and computer program product for maintaining a confidentiality of data on a network |
9218500, | Feb 26 2007 | Microsoft Technology Licensing, LLC | System and method for automatic data protection in a computer network |
20020174352, | |||
20030105734, | |||
20040054896, | |||
20040059931, | |||
20040123145, | |||
20040172550, | |||
20050033757, | |||
20050066165, | |||
20050138081, | |||
20050204404, | |||
20050251573, | |||
20050274792, | |||
20050283824, | |||
20050289358, | |||
20060004819, | |||
20060041445, | |||
20060048224, | |||
20060120526, | |||
20060123233, | |||
20060259950, | |||
20060288207, | |||
20070079117, | |||
20070113266, | |||
20070136397, | |||
20070143824, | |||
20070174909, | |||
20070192385, | |||
20080209553, | |||
DE10152121, |
Executed on | Assignor | Assignee | Conveyance | Frame | Reel | Doc |
Aug 13 2009 | ELDAR, YUVAL | Secure Islands Technologies Ltd | ASSIGNMENT OF ASSIGNORS INTEREST SEE DOCUMENT FOR DETAILS | 044238 | /0583 | |
Aug 13 2009 | OZ, ROEE | Secure Islands Technologies Ltd | ASSIGNMENT OF ASSIGNORS INTEREST SEE DOCUMENT FOR DETAILS | 044238 | /0583 | |
May 28 2017 | Secure Islands Technologies Ltd | MICROSOFT ISRAEL RESEARCH AND DEVELOPMENT 2002 LTD | MERGER SEE DOCUMENT FOR DETAILS | 048677 | /0451 | |
Nov 28 2017 | MICROSOFT ISRAEL RESEARCH AND DEVELOPMENT (2002) LTD | (assignment on the face of the patent) | / | |||
Sep 30 2021 | MICROSOFT ISRAEL RESEARCH AND DEVELOPMENT 2002 LTD | Microsoft Corporation | ASSIGNMENT OF ASSIGNORS INTEREST SEE DOCUMENT FOR DETAILS | 057850 | /0952 | |
Oct 12 2021 | Microsoft Corporation | Microsoft Technology Licensing, LLC | ASSIGNMENT OF ASSIGNORS INTEREST SEE DOCUMENT FOR DETAILS | 057900 | /0601 |
Date | Maintenance Fee Events |
Nov 28 2017 | BIG: Entity status set to Undiscounted (note the period is included in the code). |
Jan 18 2023 | M1551: Payment of Maintenance Fee, 4th Year, Large Entity. |
Date | Maintenance Schedule |
Jul 30 2022 | 4 years fee payment window open |
Jan 30 2023 | 6 months grace period start (w surcharge) |
Jul 30 2023 | patent expiry (for year 4) |
Jul 30 2025 | 2 years to revive unintentionally abandoned end. (for year 4) |
Jul 30 2026 | 8 years fee payment window open |
Jan 30 2027 | 6 months grace period start (w surcharge) |
Jul 30 2027 | patent expiry (for year 8) |
Jul 30 2029 | 2 years to revive unintentionally abandoned end. (for year 8) |
Jul 30 2030 | 12 years fee payment window open |
Jan 30 2031 | 6 months grace period start (w surcharge) |
Jul 30 2031 | patent expiry (for year 12) |
Jul 30 2033 | 2 years to revive unintentionally abandoned end. (for year 12) |